Week 1: Understanding Compliance

Question 1

Meeting and maintaining compliance has its benefits… you'd better know exactly what they are.

Date Question opens: 5/1/2017

Question type: Multiple choice - one right answer

Question text: Which of the following is NOT considered an ancillary benefit of meeting and maintaining compliance with one or more regulatory compliance frameworks/schemes?

Hint link: (8:54)

  • Correct answer: Impenetrable IT security
  • Incorrect answer: Improved incident response
  • Incorrect answer: Reduced IT risk
  • Incorrect answer: Lower cyberinsurance costs

Follow up: If you watch the fourth and final installment of our Security Kung Fu Webinar Series, you’ll understand “compliant” does not always equate to “secure.”

Question 2

Compliance schemes/regimes generally have a similar structure

Date Question opens: 5/2/2017

Question type: Multiple choice - one right answer

Question text:

Which answer choice depicts a logical ordering of implementing a compliance scheme?

Hint link:

  • Correct answer: Policy > Process > Controls > Verification > Certification
  • Incorrect: Policy > Process > Verification > Controls > Certification
  • Incorrect: Certification > Verification > Controls > Process > Policy

Follow up: It’s important to note that not all governing bodies of the leading compliance frameworks offer certification for demonstrating compliance. Take the Health Insurance Portability and Accountability Act (HIPAA), for instance. Though there are HIPAA training courses that allow an individual to become “HIPAA-certified,” the OCR does not offer certifications to businesses that pass audits for HIPAA compliance.

Source: HHS.Gov

Question 3

If your business must comply with a major IT regulatory framework or scheme, you may be subject to serious penalties for noncompliance.

Date Question opens: 5/3/2017

Question type: Multiple choice - select ALL that apply

Question text: Not adhering to a compliance program can have severe consequences, especially when breaches are involved. Which of the following can result from noncompliance alone? Select ALL that apply.

Hint link:

  • Withdrawal or suspension of a business-critical service
  • Externally defined remediation programs
  • Fines
  • Criminal liability

Follow up: Regulatory IT compliance violations are punishable by all of these means and more.

Question 4

The occurrence of both of these types of events can lead to compliance violations, but knowing the difference between the two can save your business from a world of hurt.

Date Question opens: 5/4/2017

Question type: Multiple choice - one right answer

Question text: Match the phrase to its appropriate definition:

A) An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.

B) A security event that compromises the confidentiality, integrity, or availability of an information asset.

Hint link:

  • Correct answer: A – Breach, B – Incident
  • Incorrect answer: A – Incident, B – Breach

Follow up: Security incidents are essentially the primer for the investigation as to whether an actual breach has occurred. At this point, it is the duty of the parties involved to prove the limited impact of the security incident in order to shield themselves from the fines, penalties, and general headache that will come as a result of being labeled as a “breach.”

Question 5

If your business interacts with sensitive data that falls under the protection of HIPAA, PCI, NCUA, SOX, GLBA, or other frameworks, then compliance should be on your radar.

Date Question opens: 5/5/2017

Question type: Answer a poll question

Question text: Poll: Which of the following industries does your business serve?

Hint link: N/A

  • Correct answer: Financial services
  • Correct answer: Healthcare
  • Correct answer: Technology
  • Correct answer: Federal
  • Correct answer: Education
  • Correct answer: Other

Week 2: The Industry Perspective

Question 6

No locale, industry, or organization is bulletproof when it comes to data being compromised, even with a multitude of compliance frameworks governing methods used to prevent the unlawful use or disclosure of sensitive data.

Date Question opens: 5/8/2017

Question type: Multiple choice - one right answer

Question text: In the past year, which industry experienced the highest number of breaches of sensitive information? For reference, we have highlighted the key compliance frameworks that guide these industries.

Hint link:

  • Correct answer: Financial services - PCI DSS, NCUA, SOX, GLBA, and more
  • Incorrect answer: Healthcare - HIPAA
  • Incorrect answer: Technology - ISO, COBIT, and more
  • Incorrect answer: Federal - FISMA, NERC CIP, GPG 13, and more
  • Incorrect answer: Education - FERPA
  • Incorrect answer: Other

Follow up: Financial data continues to be a top target of hackers, and although the security of point of sale (POS) systems is improving to make credit card transactions more secure, there are countless other threats to worry about.

Question 7

Healthcare is increasingly targeted by cyberattacks, including a spree of high-profile breaches and increased enforcement efforts from the OCR over the past few years.

Date Question opens: 5/9/2017

Question type: Multiple choice - one right answer

Question text: What type of data are hackers after if your business is in the healthcare industry?

Hint link:

  • Correct answer: ePHI
  • Incorrect answer: CD or CHD
  • Incorrect answer: PII
  • Incorrect answer: IP

Follow up: “ePHI” stands for Electronically Protected Health Information and constitutes a wide variety of data sets. Compromises of this type of data can lead to fraud, medical identity theft, financial harm, and so much more. It’s no wonder there is an increasing severity of penalties for breaches of healthcare-related data.

Question 8

Regardless of the industries they serve, publicly traded companies in the United States are subject to their own form of compliance by way of one specific framework. Tough news for IT pros, but this too will impact your work.

Date Question opens: 5/10/2017

Question type: Multiple choice - one right answer

Question text: Which compliance framework was established as a direct result of the accounting scandals at Enron, WorldCom, Global Crossing, Tyco, and Arthur Andersen, which resulted in billions of dollars in corporate and investor losses?

Hint link:

  • Correct answer: Sarbanes-Oxley Act of 2002 (SOX)
  • Incorrect answer: Payment Card Industry Data Security Standards (PCI DSS)
  • Incorrect answer: The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Incorrect answer: The Federal Information Security Management Act (FISMA)
  • Incorrect answer: The EU General Data Protection Regulation (GDPR)

Question 9

While some compliance frameworks can be very prescriptive, others rely on certain risk management frameworks to guide the actions of IT professionals in maintaining the confidentiality, integrity, and availability of sensitive data of all types.

Date Question opens: 5/11/2017

Question type: Multiple choice - one right answer

Question text: Which of the following risk management frameworks influence meeting and maintaining compliance with some of the top compliance frameworks, including HIPAA, PCI DSS, SOX, and more? Select ALL that apply.

Hint link:

  • NIST
  • ISO
  • COBIT

Follow up: Risk management frameworks such as NIST 800, ISO 27001, and COBIT have been used for years as guides for IT pros looking to meet and maintain compliance, from the IT perspective, with a wide variety of compliance regimes spanning multiple industries.

Question 10

While STIGs are mandatory for DoD agencies, any civilian agency and even commercial private companies are welcome to use the STIGs to improve IT security and maintain compliance.

Date Question opens: 5/12/2017

Question type: Multiple choice - select ALL that apply

Question text: STIGs come with documentation and configuration settings for a range of risk environments. Which systems do these include? Select ALL that apply.

Hint link:

  • Applications
  • Mobile
  • Networks
  • Operating Systems

Follow up: STIGs, like the risk management frameworks cited in yesterday’s question, can be used to maintain compliance, too. So, Fed or no Fed, you may have something to learn from the hint resource we provided.

Week 3: Risks to Compliance and Risks of Non-Compliance

Question 11

Despite InfoSec folklore, the actors most often involved in a breach of sensitive information are coming from outside your company. Unfortunately, understanding the source of these threats is only half the battle when it comes to maintaining IT security and compliance.

Date Question opens: 5/15/2017

Question type: Multiple choice - select ALL that apply

Question text: Which of the following three types of cyberattacks can be classified as an external threat? Select ALL that apply.

Hint link: SolarWinds Security Threats Video (15:47 - 34:35)

  • Technical attacks
  • Phishing attacks
  • Physical attacks
  • Incorrect answer: Fishing attacks

Follow up: Undoubtedly, there are numerous risks to IT security and compliance. But as they say, “knowledge is half the battle.”

Question 12

Even though the majority of the threats to your data and compliance initiatives come from beyond the four walls of your business, that's not to say your fellow employees can't somehow be involved.

Date Question opens: 5/16/2017

Question type: Multiple choice - one right answer

Question text: Which of the following exploits is classified as "a form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment."

Hint link: Would you know if your network was breached? Read this article:

  • Correct answer: Phishing
  • Incorrect answer: Pre-texting
  • Incorrect answer: Baiting
  • Incorrect answer: Elicitation

Follow up: Phishing attacks are rising in prevalence because, well, they work. The development of security awareness training (which is sometimes a requirement of certain compliance frameworks) could contribute to avoiding such issues altogether.

Question 13

When an auditor comes knocking on your door, will you be prepared to demonstrate your compliance?

Date Question opens: 5/17/2017

Question type: Multiple choice - one right answer

Question text: Which aspect of compliance is often considered the most tedious, yet crucial when it comes to demonstrating compliance?

Hint link:

  • Correct answer: Documenting compliance
  • Incorrect answer: Understanding compliance
  • Incorrect answer: Building policies and procedures for compliance
  • Incorrect answer: Identifying which network devices, systems, and applications must be monitored for compliance

Follow up: Documentation is absolutely critical for demonstrating compliance to auditors. It is important that you arm yourself with the right tools to help you meet this important objective. Fortunately, there are many solutions in the marketplace that can lend a hand.

Question 14

If your business must comply with a major IT regulatory framework or "scheme," you may be subject to serious penalty for non-compliance.

Date Question opens: 5/18/2017

Question type: Multiple choice - select ALL that apply

Question text: Not adhering to a compliance program can have severe consequences, especially when breaches are involved. Which of the following can result from noncompliance?

Hint link:

  • Incorrect answer: Withdrawal or suspension of a business-critical service
  • Incorrect answer: Externally defined remediation programs
  • Incorrect answer: Fines
  • Incorrect answer: Criminal liability
  • Correct answer: IT compliance violations are punishable by all of the above and more.

Follow up: Although IT compliance violations are not punishable by the termination of your business, this can be an aftereffect. Fines, penalties, and reputational damage can be a lot to bear.

Question 15

The cost of a breach goes well beyond the fines and penalties levied by enforcement agencies. It also includes the cost of detecting the root cause of a breach, remediating it, and notifying those affected. There are also legal expenditures, business-related expenses, and loss of revenue from damaged brand reputation to take into account.

Date Question opens: 5/19/2017

Question type: Multiple choice - one right answer

Question text: True or False: The price that businesses pay for sensitive data breaches is on the rise globally.

Hint link: You do the math!

  • Correct answer: True
  • Incorrect answer: False

Follow up: According to the Ponemon Institute, the cost associated with a data breach has risen year over year to a current $4 million.

Source: 2016 Cost of a Data Breach Study

Week 4: Tools for Compliance in IT

Question 16

Log collection and retention is required among some of the most common compliance frameworks. However, it is what you can do with this log data that truly benefits both compliance and IT security.

Date Question opens: 5/22/2017

Question type: Multiple choice - one right answer

Question text: Which type of software makes it easy to manage and analyze log files, conduct file integrity monitoring, mitigate threats, and automate compliance processes, including the generation of reporting for the purpose of surviving a compliance audit?

Hint link:

  • Correct answer: Security Information and Event Management (SIEM) Software
  • Incorrect answer: Patch Management Software
  • Incorrect answer: Network Change and Configuration Management (NCCM) Software
  • Incorrect answer: Managed File Transfer (MFT) Server Software

Follow up: SIEM solutions, which enable the collection of logs from devices across the network, are increasingly essential for compliance due to their ability to keep a running track record of security incidents and how businesses respond to them.

Question 17

What is a company to do when the very software that helps run their business can sometimes be the cause of compliance violations, or worse, a cyberattack?

Date Question opens: 5/23/2017

Question type: Multiple choice - one right answer

Question text: Which solution involves the acquisition, testing, and installing of code into an executable program to provide an update, fix, or improved version of the program or its supporting data?

Hint link:

  • Correct answer: Patch Management Software
  • Incorrect answer: Network Change and Configuration Management (NCCM) Software
  • Incorrect answer: Managed File Transfer (MFT) Server Software
  • Incorrect answer: Security Information and Event Management (SIEM) Software

Follow up: Critical for IT security, patch management is explicitly stated as a must-have for compliance with PCI DSS. It’s your data—how do you protect it?

Question 18

As alluded to in several of the hints we’ve provided thus far, automating compliance holds a multitude of benefits. Here’s one solution that can help with this.

Date Question opens: 5/24/2017

Question type: Multiple choice - one right answer

Question text: In addition to assisting with reporting, which software can help you standardize configs, detect out-of-process changes, audit configurations, and even correct compliance violations?

Hint link:

  • Correct answer: Network Change and Configuration Management (NCCM) Software
  • Incorrect answer: Managed File Transfer (MFT) Server Software
  • Incorrect answer: Security Information and Event Management (SIEM) Software
  • Incorrect answer: Patch Management Software

Question 19

Much of compliance is centered around securing data in transit and at rest. Encryption is an obvious choice, but there is more involved in getting data from point A to point B.

Date Question opens: 5/25/2017

Question type: Multiple choice - one right answer

Question text: Which solution has the ability to assist with certain requirements surrounding the confidentiality, integrity, and availability of sensitive data in transit and at rest?

Hint link:

  • Correct answer: Managed File Transfer (MFT) Server Software
  • Incorrect answer: Security Information and Event Management (SIEM) Software
  • Incorrect answer: Patch Management Software
  • Incorrect answer: Network Change and Configuration Management (NCCM) Software

Question 20

Just like the compliance regimes/schemes/frameworks vary, so do the solutions a company should employ to align their business with the goal of achieving compliance.

Date Question opens: 5/26/2017

Question type: Multiple choice - select ALL that apply

Question text: Which SolarWinds Core IT software solutions have the ability to immediately impact the objective of meeting and maintaining regulatory IT compliance across a broad array of compliance frameworks?

Hint link: Sorry, you're on your own for this one. Time to sink or swim.

  • Correct answer: All of the above
  • Incorrect answer: SolarWinds Log & Event Manager
  • Incorrect answer: SolarWinds Patch Manager
  • Incorrect answer: SolarWinds Network Configuration Manager
  • Incorrect answer: Serv-U MFT Server by SolarWinds

Follow up: In all honesty, the saying “it takes a village” applies to compliance. No single solution can help you be compliant.
